The Bottom Line
- The legal responsibility for complying with COPPA remains with the ed tech provider — not schools, students or parents.
- Ed tech providers may rely on schools to authorize data collection in lieu of parental consent only if the information collected from children is used solely for educational purposes and not commercial purposes.
- The FTC’s actions send a message to ed tech providers to carefully examine their practices to ensure they are not compromising students’ privacy.
The Federal Trade Commission (FTC) filed a lawsuit against education technology company Edmodo, Inc. for allegedly collecting data from children without parental consent and using it to sell ads in violation of the Children’s Online Privacy Protection Act Rule (COPPA).
Edmodo, which closed its U.S. operations in September during the FTC investigation, provided an online platform and mobile app with virtual class spaces to host discussions and share materials and other online resources for teachers and schools in the United States. The company offered a free version of its platform that children could download on their phones and a paid product aimed toward schools and teachers. According to the complaint, both platforms collected children’s data, such as device IDs, cookies and IP addresses, to serve ads to children.
Prior FTC Warnings
COPPA requires online services and websites directed to children under age 13 to notify parents about the personal information they collect and obtain verifiable parental consent for the collection and use of that information. The FTC Policy Statement clearly put the responsibility for COPPA compliance on COPPA-covered businesses and not on schools or parents.
A proposed injunction order, filed by the Department of Justice (DOJ) on behalf of the FTC, alleges that Edmodo violated COPPA by failing to provide information about the company’s data collection practices to schools and teachers and failing to obtain verifiable parental consent. In addition, the proposed order marks the first time an FTC order has prohibited an educational technology company from requiring students to provide more personal data than is necessary to participate in an online educational activity.
The FTC claims against Edmodo include:
- Edmodo required schools and teachers to authorize data collection on behalf of parents or to notify parents about Edmodo’s data collection practices and obtain their consent; however, Edmodo failed to provide schools and teachers with the information they would need to comply in either scenario, as required by COPPA.
- The company’s terms of service were so convoluted they violated COPPA’s requirement that the terms are “clearly and understandably written”; wrongly told schools and parents that they were “solely” responsible for complying with COPPA, did not require schools and teachers to view Edmodo’s terms of service before creating an account, and failed to adequately disclose what personal information the company actually collected or indicate how schools or teachers should go about obtaining parental consent.
- Since the company collected information for non-educational purposes — specifically, commercial purposes, Edmodo could not rely on schools to authorize collection on behalf of parents for such commercial uses, as COPPA required Edmodo to obtain consent directly from parents.
- Violated COPPA by retaining personal information indefinitely until at least 2020 when it put in place a policy to delete the data after two years. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.
- In addition to violating COPPA, the FTC alleges Edmodo violated the FTC Act’s prohibition on unfair practices by relying on schools to obtain verifiable parental consent. Specifically, the FTC says that Edmodo outsourced its COPPA compliance responsibilities to schools and teachers while providing confusing and inaccurate information about obtaining consent. This is the first time the FTC has alleged an unfair trade practice in the context of an operator’s interaction with schools.
Under the proposed order, the company is required to pay $6 million in civil penalties, which would immediately be suspended due to the company’s inability to pay.
The proposed order also provides the following protections for children’s data should Edmodo resume operations in the United States:
- Prohibits the company from conditioning a child’s participation in an activity on the child disclosing more information than is reasonably necessary to participate in such activity.
- Requires the company to complete several conditions before obtaining school authorization to collect information from a child.
- Prohibits the company from using children’s information for non-educational purposes, such as advertising or building user profiles.
- Bans the company from using schools as intermediaries in the parental consent process.
- Requires the company to implement and adhere to a retention schedule that details what information it collects, what the data is used for and a time frame for deleting it.
- Requires the company to delete models or algorithms developed using personal information collected from children without verifiable parental consent or school authorization.
Warning to Other Ed Tech Companies
Why would the FTC bother expending resources to sue a company that can’t face consequences? The answer may lie in an attempt to establish precedent for the rest of the education technology industry. The FTC makes clear that other ed tech providers should carefully examine their practices to ensure they’re not compromising students’ privacy. This includes conducting periodic reassessments as their products and practices change.